Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/04/2024, 21:41
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe
Size: 192KB
MD5: 81e1743ca873a4fd9ec172c5a57c236d
SHA1: 124af3bf4796489d6cd7df309631e1d88b4d9607
SHA256: 90d0b0691479bd73f3e6cf274f6d3d8fab27c2adc8489a1f68e9429fe920e811
SHA512: abc65e510002bd437512fa9edf7b8329280803c05941174f87dcd6a57be15c33fc4f7ba8b171473b54130c417f828fc31748e3114d76cc729c998cbc778dfb46
SSDEEP: 1536:1EGh0oRl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oRl1OPOe2MUVg3Ve+rXfMUa
Malware Config
Signatures
Auto-generated rule 12 IoCs
resource | yara_rule
behavioral2/files/0x0011000000023221-2.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023218-6.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023228-8.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023038-14.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021df7-18.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021df8-23.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021df7-26.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-39.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-43.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072f-46.dat | GoldenEyeRansomware_Dropper_MalformedZoomit
Modifies Installed Components in the registry 2 TTPs 24 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED33C418-2F07-4973-B760-12A88137C550} | {D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED33C418-2F07-4973-B760-12A88137C550}\stubpath = "C:\\Windows\\{ED33C418-2F07-4973-B760-12A88137C550}.exe" | {D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B90D446-3251-4b06-A5EE-A99CF1D152C8} | {ED33C418-2F07-4973-B760-12A88137C550}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7} | {2680033C-A89D-471f-9091-39AAECD0687C}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C5A6125-BEC1-4446-9AA2-200B75B996C8} | {32F24C0A-1292-4459-813F-39555AB20713}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B} | {C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B92C2479-D162-4a31-9C81-6E796C2BF95F} | 2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7} | {B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8BBA705-2265-4c92-9DBC-321E5D63531D}\stubpath = "C:\\Windows\\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe" | {8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2680033C-A89D-471f-9091-39AAECD0687C}\stubpath = "C:\\Windows\\{2680033C-A89D-471f-9091-39AAECD0687C}.exe" | {F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}\stubpath = "C:\\Windows\\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe" | {2680033C-A89D-471f-9091-39AAECD0687C}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}\stubpath = "C:\\Windows\\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe" | {32F24C0A-1292-4459-813F-39555AB20713}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}\stubpath = "C:\\Windows\\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe" | {B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8BBA705-2265-4c92-9DBC-321E5D63531D} | {8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{794FA407-3C60-4662-94AF-261E91B94C1F} | {D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{794FA407-3C60-4662-94AF-261E91B94C1F}\stubpath = "C:\\Windows\\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe" | {D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D} | {0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B}\stubpath = "C:\\Windows\\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B}.exe" | {C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B92C2479-D162-4a31-9C81-6E796C2BF95F}\stubpath = "C:\\Windows\\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe" | 2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}\stubpath = "C:\\Windows\\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe" | {ED33C418-2F07-4973-B760-12A88137C550}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2680033C-A89D-471f-9091-39AAECD0687C} | {F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32F24C0A-1292-4459-813F-39555AB20713} | {794FA407-3C60-4662-94AF-261E91B94C1F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32F24C0A-1292-4459-813F-39555AB20713}\stubpath = "C:\\Windows\\{32F24C0A-1292-4459-813F-39555AB20713}.exe" | {794FA407-3C60-4662-94AF-261E91B94C1F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}\stubpath = "C:\\Windows\\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe" | {0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe
Executes dropped EXE 12 IoCs
pid | Process
2000 | {B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe
4364 | {D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe
4420 | {ED33C418-2F07-4973-B760-12A88137C550}.exe
4376 | {8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe
4176 | {F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe
1352 | {2680033C-A89D-471f-9091-39AAECD0687C}.exe
1456 | {D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe
4592 | {794FA407-3C60-4662-94AF-261E91B94C1F}.exe
4904 | {32F24C0A-1292-4459-813F-39555AB20713}.exe
2988 | {0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe
3508 | {C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe
644 | {9D13892D-180D-4ece-A6FB-CA8D14FBFD8B}.exe
Drops file in Windows directory 12 IoCs
description | ioc | Process
File created | C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe | {ED33C418-2F07-4973-B760-12A88137C550}.exe
File created | C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe | {F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe
File created | C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe | {2680033C-A89D-471f-9091-39AAECD0687C}.exe
File created | C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe | {D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe
File created | C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe | {794FA407-3C60-4662-94AF-261E91B94C1F}.exe
File created | C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe | 2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe
File created | C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe | {D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe
File created | C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe | {32F24C0A-1292-4459-813F-39555AB20713}.exe
File created | C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe | {0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe
File created | C:\Windows\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B}.exe | {C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe
File created | C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe | {B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe
File created | C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe | {8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1940 | 2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe
Token: SeIncBasePriorityPrivilege | 2000 | {B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe
Token: SeIncBasePriorityPrivilege | 4364 | {D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe
Token: SeIncBasePriorityPrivilege | 4420 | {ED33C418-2F07-4973-B760-12A88137C550}.exe
Token: SeIncBasePriorityPrivilege | 4376 | {8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe
Token: SeIncBasePriorityPrivilege | 4176 | {F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe
Token: SeIncBasePriorityPrivilege | 1352 | {2680033C-A89D-471f-9091-39AAECD0687C}.exe
Token: SeIncBasePriorityPrivilege | 1456 | {D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe
Token: SeIncBasePriorityPrivilege | 4592 | {794FA407-3C60-4662-94AF-261E91B94C1F}.exe
Token: SeIncBasePriorityPrivilege | 4904 | {32F24C0A-1292-4459-813F-39555AB20713}.exe
Token: SeIncBasePriorityPrivilege | 2988 | {0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe
Token: SeIncBasePriorityPrivilege | 3508 | {C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- level 1: C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-06_81e1743ca873a4fd9ec172c5a57c236d_goldeneye.exe"
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1940
- level 2: C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe
  Command line: C:\Windows\{B92C2479-D162-4a31-9C81-6E796C2BF95F}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2000
- level 3: C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe
  Command line: C:\Windows\{D65B81F7-B8C9-4536-90D9-CA955BEB59D7}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4364
- level 4: C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe
  Command line: C:\Windows\{ED33C418-2F07-4973-B760-12A88137C550}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4420
- level 5: C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe
  Command line: C:\Windows\{8B90D446-3251-4b06-A5EE-A99CF1D152C8}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4376
- level 6: C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe
  Command line: C:\Windows\{F8BBA705-2265-4c92-9DBC-321E5D63531D}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4176
- level 7: C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe
  Command line: C:\Windows\{2680033C-A89D-471f-9091-39AAECD0687C}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1352
- level 8: C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe
  Command line: C:\Windows\{D840C191-2CFC-4a5a-9D9E-A4C98BF531C7}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1456
- level 9: C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe
  Command line: C:\Windows\{794FA407-3C60-4662-94AF-261E91B94C1F}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4592
- level 10: C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe
  Command line: C:\Windows\{32F24C0A-1292-4459-813F-39555AB20713}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4904
- level 11: C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe
  Command line: C:\Windows\{0C5A6125-BEC1-4446-9AA2-200B75B996C8}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2988
- level 12: C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe
  Command line: C:\Windows\{C0B39F0E-CA0A-4d62-9E02-CFC9457D1A4D}.exe
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3508
- level 13: C:\Windows\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B}.exe
  Command line: C:\Windows\{9D13892D-180D-4ece-A6FB-CA8D14FBFD8B}.exe
  - Executes dropped EXE
  PID: 644
- level 13: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{C0B39~1.EXE > nul
  PID: 3504
- level 12: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{0C5A6~1.EXE > nul
  PID: 2620
- level 11: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{32F24~1.EXE > nul
  PID: 684
- level 10: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{794FA~1.EXE > nul
  PID: 4896
- level 9: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D840C~1.EXE > nul
  PID: 32
- level 8: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{26800~1.EXE > nul
  PID: 1680
- level 7: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F8BBA~1.EXE > nul
  PID: 4012
- level 6: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{8B90D~1.EXE > nul
  PID: 3424
- level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{ED33C~1.EXE > nul
  PID: 1424
- level 4: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{D65B8~1.EXE > nul
  PID: 3112
- level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B92C2~1.EXE > nul
  PID: 3076
- level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  PID: 388
Network
MITRE ATT&CK Enterprise v15
Downloads